[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1040865: marked as done (bullseye-pu: package yajl/2.1.0-3+deb11u2)

Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id <84bb5ff8312f749ebe536897993782bf35aa1977.camel@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1040865,
regarding bullseye-pu: package yajl/2.1.0-3+deb11u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1040865: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040865
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: yajl@packages.debian.org
Control: affects -1 + src:yajl

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: yajl@packages.debian.org
Control: affects -1 + src:yajl

Previous o-s-p-u upload was #1040137; two additional CVEs have
been fixed since then and the fix for CVE-2023-33460 has been found
to be incomplete.

This upload is part of fixing yajl for every release. So far sid, buster
(DLA-3492), stretch and jessie (ELA-892-1) has been targeted.
bookworm s-p-u is pending, see #1040863

CVE-2017-16516

When a crafted JSON file is supplied to yajl, the process might
crash with a SIGABRT in the yajl_string_decode function in
yajl_encode.c. This results potentially in a denial of service.

CVE-2022-24795

The 1.x branch and the 2.x branch of `yajl` contain an integer overflow
which leads to subsequent heap memory corruption when dealing with large
(~2GB) inputs.

CVE-2023-33460

There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function,
which potentially cause out-of-memory in server and cause crash.


[ Risks ]
Required changes are minimal, see debdiff. Package testsuite passes.

[ Checklist ]
  [x *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable


For unstable, the fixes are in 2.1.0-5. I have already uploaded to the s-p-u queue.

diff -Nru yajl-2.1.0/debian/changelog yajl-2.1.0/debian/changelog
--- yajl-2.1.0/debian/changelog	2023-07-02 13:31:39.000000000 +0200
+++ yajl-2.1.0/debian/changelog	2023-07-11 19:55:30.000000000 +0200
@@ -1,3 +1,15 @@
+yajl (2.1.0-3+deb11u2) bullseye; urgency=medium
+
+  [Tobias Frost]
+  * Non-maintainer upload.
+  * Cherry pick John's CVE fixes from 2.1.0-4 and 2.1.0-5
+
+  [John Stamp]
+  * Patch CVE-2017-16516 and CVE-2022-24795 (Closes: #1040036)
+  * The patch for CVE-2023-33460 turned out to be incomplete. Fix that. (Closes: #1039984)
+
+ -- Tobias Frost <tobi@debian.org>  Tue, 11 Jul 2023 19:55:30 +0200
+
 yajl (2.1.0-3+deb11u1) bullseye; urgency=medium
 
   * Non-maintainer upload.
diff -Nru yajl-2.1.0/debian/patches/CVE-2017-16516.patch yajl-2.1.0/debian/patches/CVE-2017-16516.patch
--- yajl-2.1.0/debian/patches/CVE-2017-16516.patch	1970-01-01 01:00:00.000000000 +0100
+++ yajl-2.1.0/debian/patches/CVE-2017-16516.patch	2023-07-10 19:32:01.000000000 +0200
@@ -0,0 +1,22 @@
+Description: Fix for CVE-2017-16516
+ Potential buffer overread: A JSON file can cause denial of service.
+Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/248
+---
+ src/yajl_encode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/yajl_encode.c
++++ b/src/yajl_encode.c
+@@ -139,8 +139,8 @@
+                     end+=3;
+                     /* check if this is a surrogate */
+                     if ((codepoint & 0xFC00) == 0xD800) {
+-                        end++;
+-                        if (str[end] == '\\' && str[end + 1] == 'u') {
++                        if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
++                            end++;
+                             unsigned int surrogate = 0;
+                             hexToDigit(&surrogate, str + end + 2);
+                             codepoint =
diff -Nru yajl-2.1.0/debian/patches/CVE-2022-24795.patch yajl-2.1.0/debian/patches/CVE-2022-24795.patch
--- yajl-2.1.0/debian/patches/CVE-2022-24795.patch	1970-01-01 01:00:00.000000000 +0100
+++ yajl-2.1.0/debian/patches/CVE-2022-24795.patch	2023-07-10 19:32:01.000000000 +0200
@@ -0,0 +1,30 @@
+Description: Fix for CVE-2022-24795
+ An integer overflow will lead to heap memory corruption with large (~2GB) inputs.
+Origin: https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/239
+---
+ src/yajl_buf.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/src/yajl_buf.c
++++ b/src/yajl_buf.c
+@@ -45,7 +45,17 @@
+ 
+     need = buf->len;
+ 
+-    while (want >= (need - buf->used)) need <<= 1;
++    if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
++        /* We cannot allocate more memory than SIZE_MAX. */
++        abort();
++    }
++    while (want >= (need - buf->used)) {
++        if (need >= (size_t)((size_t)(-1)<<1)>>1) {
++            /* need would overflow. */
++            abort();
++        }
++        need <<= 1;
++    }
+ 
+     if (need != buf->len) {
+         buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
diff -Nru yajl-2.1.0/debian/patches/CVE-2023-33460.patch yajl-2.1.0/debian/patches/CVE-2023-33460.patch
--- yajl-2.1.0/debian/patches/CVE-2023-33460.patch	2023-07-02 13:30:08.000000000 +0200
+++ yajl-2.1.0/debian/patches/CVE-2023-33460.patch	2023-07-11 19:54:44.000000000 +0200
@@ -1,17 +1,32 @@
-From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001
-From: "zhang.jiujiu" <282627424@qq.com>
-Date: Tue, 7 Dec 2021 22:37:02 +0800
-Subject: [PATCH] fix memory leaks
-
+Description: Fix for CVE-2023-33460a
+ Memory leak in yajl 2.1.0 with use of yajl_tree_parse function
+ See https://github.com/lloyd/yajl/issues/250#issuecomment-1628695214
+Origin: https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039984
+Bug: https://github.com/lloyd/yajl/issues/250
 ---
- src/yajl_tree.c | 3 +++
- 1 file changed, 3 insertions(+)
+ src/yajl_tree.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
 
 --- a/src/yajl_tree.c
 +++ b/src/yajl_tree.c
-@@ -445,6 +445,9 @@
+@@ -143,7 +143,7 @@
+     ctx->stack = stack->next;
+ 
+     v = stack->value;
+-
++    free (stack->key);
+     free (stack);
+ 
+     return (v);
+@@ -444,7 +444,14 @@
+              snprintf(error_buffer, error_buffer_size, "%s", internal_err_str);
               YA_FREE(&(handle->alloc), internal_err_str);
          }
++        while(ctx.stack != NULL) {
++             yajl_val v = context_pop(&ctx);
++             yajl_tree_free(v);
++        }
          yajl_free (handle);
 +	//If the requested memory is not released in time, it will cause memory leakage
 +	if(ctx.root)
diff -Nru yajl-2.1.0/debian/patches/series yajl-2.1.0/debian/patches/series
--- yajl-2.1.0/debian/patches/series	2023-07-02 13:30:08.000000000 +0200
+++ yajl-2.1.0/debian/patches/series	2023-07-11 19:17:44.000000000 +0200
@@ -1,3 +1,5 @@
 dynamically-link-tools.patch
 multiarch.patch
+CVE-2017-16516.patch
+CVE-2022-24795.patch
 CVE-2023-33460.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 11.8

Hi,

The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.

Regards,

Adam

--- End Message ---
Reply to: